message can be 'signed' using a privately held encryption key. Anyone
can verify this signature
using the corresponding publicly revealed encryption key. Signatures cannot be
forged, and a signer cannot later deny the validity of his signature. This has
obvious applications in 'electronic mail' and 'electronic
funds transfer' systems...
Rivest, Shamir, Adleman; A method for obtaining digital signatures and public-key
cryptosystems; Communications of the ACM;
Public Key Cryptography (PKC)
enables you to send a digital
signature across the Internet to verify a document actually came
digital signature is like a normal signature, in that it identifies you uniquely
and is difficult to fake. A digital signature can be added to an email, document,
or other file that you send to someone else using PKC,
enabling the addressee to verify that the communication actually came from you.
In practice, real implementation of digital signature
systems was a prerequisite to widespread adoption of financial and legal communications
The full description of the digital signature process is described below. Remember
that everyone using PKC has two keys, one private and one public, either of which can decrypt messages encrypted with the other.
- Encrypt message. As normal, first the sender encrypts
the message with the recipient's public key.
- Add signature. Then the sender adds their signature to the encrypted message,
perhaps some text like "This message is from John Smith", and then
encrypts the whole thing with their own private key.
- Decrypt signature. The recipient receives the message and decrypts it with
the sender's public key, which produces the digital signature and the encrypted
- Decrypt message. The recipient then decrypts the remaining message with their
own private key.
If this unwrapping procedure works, revealing a legible digital signature
and a legible message, then the recipient can be sure that the message was
since only they are in possession of the private key used to encrypt
the entire message.
In practice, the PGP
system implements digital signatures by encrypting only a compact cryptographic
checksum of the sender's message with the private key, thereby providing a
smaller and more efficient
attachment that still ensures that the signature is for the message it
In the late 1990's and early part of the 2000's, more and more countries
starting passing legislation recognizing the legal validity of digital signatures
in order to provide a foundation for adoption of business on the Internet.
of companies even established businesses to provide digital signatures
to other online business, such as Verisign.